Course info

Level: Intermediate

Updated: Dec 18, 2018

Duration: 1h 40m

Description

In this course, Hunting for Fileless Malware, Tyler Hudak and Aaron Rosenmund tackle what exactly fileless malware is, why it is used by attackers, and the different defensive strategies that can be taken to defend your organizations from it. Learn about different examples of fileless malware techniques, the use of native tools (PowerShell and WMI), and the types of defenses you can use. By the end of this course, you’ll have a solid understanding of the various types of fileless malware and how best to defend against it.

About the author

Tyler Hudak has more than 15 years of experience performing malware analysis, computer forensics, and incident response for multiple organizations. He loves sharing the knowledge he has gained on these topics in his presentations and classes!

About the author

Aaron M. Rosenmund is a system security and administration subject matter expert for several Federal systems, with a background in business administration, and is recognized as a subject matter expert in various technologies including virtualization and scripted automation. He is passionate about enabling the workforce to fully leverage these technologies.

Section Introduction Transcripts

Course Overview

Hello everyone, I'm Aaron Rosenmund, a full-time cyber security author for Pluralsight, focused on security operations and incident response, and a part-time member of the Florida International Guard, where I focus on the development and implementation of defensive cyber operations. As a cyber operations specialist, you're always looking for the next evolution of threat that will test your defenses or cleverly hide from your incident response procedures. And in this course, I'm especially interested in the onset of fileless malware and have teamed up with a fellow author, Tyler Hudak, to gain some insight in this area.

This is Tyler Hudak. I do incident response as my primary job and am a Pluralsight author. With my job, I get to see a number of different techniques that attackers are using to compromise organizations all over the world. One of the things I've seen being used more and more are fileless attacks. Because of this, it has become necessary for security analysts and organizations to understand these attacks, and more importantly, how to detect them. We are going to cover the reality of the term fileless; why it has become a popular method of exploitation for attackers; as well as the policies, settings, logs, and tools used to detect this behavior. By the end of this course, you will know what fileless malware is, what some of these attacks look like, and what you and your organization need to do in order to detect these attacks. I hope you will join us in this Play by Play to learn more about fileless malware behavior and detection with Hunting Fileless Malware, at Pluralsight.

What is Fileless Malware?

Hi, I'm Aaron Rosenmund. Welcome to Pluralsight. I'm a full-time author with a focus on cyber security and incident response, and part-time, I work with the Florida International Guard developing and implementing defensive cyber operations. I'm here with Tyler Hudak doing the Play by Play for Hunting Fileless Malware. Tyler, do you want to introduce yourself?

Yeah, I'm Tyler Hudak. I work in incident response by trade. I am a part-time Pluralsight author and have done courses on malware analysis and document analysis.

Yeah, awesome. You're here with the expert.

Why Do Attackers Use These Techniques?

So we've talked a little bit about how these things work, these fileless malware attacks, and we gave an example in the last module, and then we've also talked kind of briefly about why attackers would use these, because they can evade different things, but really, there's a bunch of ways to attack a system, or there's a bunch of different methods of exploits that malware uses. Why is this becoming so prevalent?

Well, it really comes down to the fact that it's difficult to detect. There's the logging that is turned on on Windows systems by default, and unfortunately, most organizations don't turn logging on, or they don't enhance logging much past the defaults. And so a lot of this activity is not being logged, and so these techniques become stealthy for the attackers. I mean, not only that, if you're living off the land, if you're using PowerShell, and you're using WMI, and you're using the tools that are already installed on the system, that means you don't have to download additional tools, which means you have less of a footprint on the system and on the network. It means that you know that the tools are already there. It's very easy for you to test, because as an attacker, if I was going to attack an organization, I want to test my tools out beforehand, and if they have some custom Windows image, that means that my malware may not work like I expect it to. But if I use PowerShell, I know that the PowerShell on my computer is probably going to be the same PowerShell as on your computer. And so if I test it on my computer and it works, it's probably going to work on yours as well.

Yeah, because it's part of the base OS. It's not like a third-party software that has to be enabled, like a lot of the lower CVSS stuff that's coming out now, where it's like if this, and this, and this, then this exploit works, whereas this is, yeah, it's on every single system and definitely going to be usable.

Yeah, that's interesting.